4.3.2 Ensure DNS Filter logs all DNS queries and responses

Description:

DNS Filter should log all DNS queries and responses.

Rationale:

DNS Filter should log all DNS queries and responses, regardless of whether the DNS category is blocked, monitored, or allowed. This gives SOC and security analysts the data they need for further investigation of security incidents, particularly during threat hunting and incident response. Although other data sources can provide DNS query logs (for example Active Directory DNS server logs or EDR telemetry), this option should be enabled as a best practice, on the assumption that no other data source is available.

Impact:

By default, allowed DNS queries are not logged. This creates a data gap in threat hunting and incident response activities.

Audit:

Review the DNS Filter Security Profiles and validate that 'Log all DNS queries and responses' is enabled.
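
The audit above can be scripted against the FortiGate CLI output instead of clicking through each profile in the GUI. The following Python script is an added example written for this page, not part of the benchmark or of FortiOS; it parses the text of `show dnsfilter profile` (or `show full-configuration dnsfilter profile`) and lists every profile where logging of all DNS queries is not enabled. It assumes the CLI setting behind the 'Log all DNS queries and responses' checkbox is named `log-all-domain`, and the sample output it parses is constructed for the example.

```python
"""Audit FortiGate DNS Filter profiles for 'Log all DNS queries and responses'.

Added example: parses the text of `show dnsfilter profile` and reports
profiles where logging of all domains is not enabled. The option name
`log-all-domain` is an assumption about the FortiOS setting behind the GUI
checkbox; the sample output below is constructed, not captured from a device.
"""
import re

# Constructed sample of what `show dnsfilter profile` might print for three
# profiles. `show` omits settings at their default value, so a profile that
# never had logging enabled simply has no log-all-domain line at all;
# `show full-configuration` prints the default explicitly as "disable".
SAMPLE_OUTPUT = """\
config dnsfilter profile
    edit "default"
        set comment "Default dns filtering."
        set log-all-domain enable
        config domain-filter
            set domain-filter-table 0
        end
    next
    edit "guest-wifi"
        set comment "Guest network."
        config ftgd-dns
            config filters
                edit 1
                    set category 31
                next
            end
        end
    next
    edit "legacy"
        set log-all-domain disable
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+"([^"]+)"$')
LOG_ALL_RE = re.compile(r'^set\s+log-all-domain\s+(enable|disable)$')


def parse_dnsfilter_profiles(text: str) -> dict[str, bool]:
    """Map each DNS Filter profile name to whether log-all-domain is enabled.

    Nesting depth is tracked on `config`/`end` so that only the top-level
    `edit "<name>"` entries count as profiles; `edit 1` lines inside nested
    tables such as ftgd-dns filters are ignored. A profile with no
    log-all-domain line is treated as disabled, which is the FortiOS default.
    """
    profiles: dict[str, bool] = {}
    depth = 0
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            continue
        if depth != 1:
            continue  # inside a nested sub-table, not a profile-level setting
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = False
            continue
        if line == "next":
            current = None
            continue
        m = LOG_ALL_RE.match(line)
        if m and current is not None:
            profiles[current] = m.group(1) == "enable"
    return profiles


def noncompliant_profiles(text: str) -> list[str]:
    """Return the sorted names of profiles that fail this benchmark check."""
    return sorted(name for name, ok in parse_dnsfilter_profiles(text).items() if not ok)


if __name__ == "__main__":
    failing = noncompliant_profiles(SAMPLE_OUTPUT)
    if failing:
        print("FAIL: log-all-domain not enabled on:", ", ".join(failing))
    else:
        print("PASS: all DNS Filter profiles log every query and response")
```

Run it against output saved from the CLI by replacing `SAMPLE_OUTPUT` with the file contents. Because `show` hides default values, the parser deliberately treats a missing `log-all-domain` line as "disable" rather than as unknown; a profile only passes when the enabling line is present.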

Default Value:
